Carte Blanche recently highlighted the problem of invoice scams in South Africa, where companies and individuals are scammed out of large amounts of money.
This report follows the high-profile case where Goliath and Goliath and its subsidiary The PR Bailiff were scammed out of R285,000 by hackers who intercepted and altered their invoices.
Sarah Rutherford from analytics software company FICO explained that fraud like this is known as “authorised push payment fraud”.
This happens when fraudsters deceive a business or customer into sending them a payment under false pretences to a bank account controlled by the fraudster.
If the payment is made using the South African SAMOS clearing system, it is irrevocable. Victims cannot reverse a payment once it has been settled, even if they realise they have been conned.
How this scam works
Fake invoice fraud is not complicated to understand, but it requires some skills in the hacking or cyber-security field. Here is how it works:
- The fraudsters use social engineering techniques or other hacking tools to gain access to a person’s email account.
- They then intercept an invoice sent via email before it reaches the party which must pay the invoice.
- They change the banking details on the invoice to their own banking details.
- They send the fraudulent invoice to the party which must pay the invoice via the official email account.
- The company or person pays the invoice, but the money lands in the fraudsters’ account, and it is gone forever.
The altered invoice looks exactly like one from your service provider – the only difference is the banking details.
No link between bank account number and the name
The fraudsters rely on a weakness in the banking system where a bank account name and number do not need to match for a successful transaction to occur.
The criminals can therefore create a fraudulent bank account and put that bank account number on an invoice for any company.
When money is paid into the fraudulent account, the transaction is not blocked or flagged even though the bank account number and name do not match.
After the payment is made into the fraudster’s account, the money is quickly moved to multiple other bank accounts and it is gone forever.
Payments Association of South Africa (PASA) CEO Walter Volker explained that there is always a balance between “risk and fraud management” and “convenience and cost”.
He said it is possible to create a more secure system, but that will also mean people will be inconvenienced and the cost will increase.
How to protect yourself
People who are paying invoices received electronically are advised to verify the banking details of the party which they pay before making the payment.
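The check recommended above, sketched as an added example that is not part of the original article: before a payment is released, the banking details on an emailed invoice are compared with details that were verified out of band. The vendor name, account numbers, invoice layout and function names are all constructed for illustration.

```python
import re

# Constructed vendor master record. Details here are confirmed out of band
# (a call to a number already on file), never copied from an emailed invoice.
VENDOR_MASTER = {
    "Example Supplier (Pty) Ltd": {"account": "1234567890", "branch": "250655"},
}

ACCOUNT_RE = re.compile(r"Account\s*(?:No\.?|Number)\s*:?\s*([\d -]{6,20})", re.I)
BRANCH_RE = re.compile(r"Branch\s*Code\s*:?\s*([\d -]{4,10})", re.I)

def extract_bank_details(invoice_text):
    """Read account and branch numbers from invoice text (assumed layout)."""
    def digits(match):
        return re.sub(r"\D", "", match.group(1)) if match else None
    return {"account": digits(ACCOUNT_RE.search(invoice_text)),
            "branch": digits(BRANCH_RE.search(invoice_text))}

def mask(number):
    """Show only the last four digits so logs do not leak account numbers."""
    return "*" * max(len(number) - 4, 0) + number[-4:]

def check_invoice(vendor_name, invoice_text):
    """Return ("PAY" | "HOLD", reasons) for one emailed invoice."""
    on_file = VENDOR_MASTER.get(vendor_name)
    if on_file is None:
        return "HOLD", ["vendor has no verified banking details on file"]
    seen = extract_bank_details(invoice_text)
    reasons = []
    for field in ("account", "branch"):
        if seen[field] is None:
            reasons.append(f"{field} number not found on invoice")
        elif seen[field] != on_file[field]:
            reasons.append(f"{field} on invoice ({mask(seen[field])}) differs from "
                           f"verified record ({mask(on_file[field])})")
    return ("HOLD" if reasons else "PAY"), reasons

# Constructed invoices: identical apart from the banking details.
GENUINE = "Invoice 1001\nExample Supplier (Pty) Ltd\nAccount Number: 1234 567 890\nBranch Code: 250655\nTotal: R10,000"
ALTERED = GENUINE.replace("1234 567 890", "9876 543 210")

if __name__ == "__main__":
    for label, text in (("genuine", GENUINE), ("altered", ALTERED)):
        print(label, check_invoice("Example Supplier (Pty) Ltd", text))
```

A HOLD result means the details should be confirmed with the supplier through a contact channel already on file, not by replying to the email that carried the invoice.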
The video below from Carte Blanche explains the fake invoice scam in more detail.